Cyberattackers have turned to search engine optimization (SEO) techniques to deploy malware payloads to as many victims as possible.
According to Sophos, the so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings.
SEO is used legitimately by webmasters to increase their website’s exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) behind compromised websites in order to serve financial malware, exploit tools, and ransomware.
In a blog post on Monday, the cybersecurity team said the technique, dubbed “Gootloader,” is the infection framework that delivers the Gootkit Remote Access Trojan (RAT) and has also been used to deliver a variety of other malware payloads.
The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers — 400, if not more — must be maintained at any given time for success.
While it isn’t known whether a particular exploit is used to compromise these domains in the first place, the researchers say that the CMSs running the backend of these websites could have been hijacked via malware, stolen credentials, or brute-force attacks.

Once the threat actors have access, a few lines of code are inserted into the body of the website’s content. Those lines check whether the visitor is of interest as a target, based on factors such as IP address and location, and visitors arriving from a Google search result are the ones most commonly let through.
Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which “subtle” modifications are made to “rewrite how the contents of the website are presented to certain visitors.”
“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” Sophos says.
If the attackers’ criteria aren’t met, the browser displays a seemingly normal web page that eventually dissolves into garbage text.
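The gating described above (a Google referer, no earlier visit from the client’s IP, otherwise the innocuous page) can be tested for from the outside. The block below is an added example, not Sophos’s code and not the Gootloader code: it fetches one URL three times with different headers and diffs the visible text. The `fetch` hook, the constructed `simulated_cloaked_site` stand-in, the forum-phrase regex and the 0.6 similarity threshold are assumptions made for this example.

```python
# Added example (not Sophos's code and not Gootloader's): a check a site owner
# or analyst can run against a URL to see whether it serves different content
# to visitors who arrive from a Google search. `fetch` is an assumed hook so the
# logic can be exercised offline against the constructed simulated_cloaked_site
# below; http_fetch performs real requests.
import difflib
import re
import urllib.request
from typing import Callable, Dict

Fetch = Callable[[str, Dict[str, str]], str]

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/86.0"
GOOGLE_REFERER = "https://www.google.com/"
# Phrases typical of the fake "message board" page described in the text. Heuristic.
FORUM_MARKERS = re.compile(r"\b(admin|reply|posted by|direct download|download link)\b", re.I)


def http_fetch(url: str, headers: Dict[str, str]) -> str:
    """Plain HTTP GET; used when the caller does not supply a hook."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def visible_text(html: str) -> str:
    """Strip scripts, styles and tags so the diff is on what a visitor reads."""
    html = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.I | re.S)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()


def check_cloaking(url: str, fetch: Fetch = http_fetch, threshold: float = 0.6) -> dict:
    """Fetch `url` three times and compare what each kind of visitor sees.

    Order matters: the injected code serves the lure only on the first visit
    from an IP, so the Google-referred request has to go first. A plain request
    follows, then a second referred request, which shows whether the lure was
    one-shot for this client.
    """
    referred = visible_text(fetch(url, {"User-Agent": UA, "Referer": GOOGLE_REFERER}))
    plain = visible_text(fetch(url, {"User-Agent": UA}))
    referred_again = visible_text(fetch(url, {"User-Agent": UA, "Referer": GOOGLE_REFERER}))
    similarity = difflib.SequenceMatcher(None, plain, referred).ratio()
    return {
        "similarity": round(similarity, 2),
        "cloaked": similarity < threshold,
        "fake_forum": bool(FORUM_MARKERS.search(referred)),
        "one_shot": referred != referred_again,
    }


def simulated_cloaked_site() -> Fetch:
    """Constructed stand-in for a compromised CMS page, for offline use only.

    Mirrors the conditions in the text: a Google referer on the first visit from
    this client yields the fake forum; anything else yields the normal page.
    """
    normal = "<html><body><h1>Clinic hours</h1><p>Open Monday to Friday.</p></body></html>"
    lure = ("<html><body><h2>Does anyone know where to find a lease template?</h2>"
            "<p>Posted by admin: here is the direct download link, as requested.</p>"
            "<p>Reply from guest: thanks, that worked for me.</p></body></html>")
    state = {"visited": False}

    def fetch(url: str, headers: Dict[str, str]) -> str:
        from_google = headers.get("Referer", "").startswith("https://www.google.")
        first_visit = not state["visited"]
        state["visited"] = True
        return lure if (from_google and first_visit) else normal

    return fetch


def demo() -> dict:
    """Run the check against the constructed site; real use passes a real URL."""
    return check_cloaking("https://example.invalid/post", fetch=simulated_cloaked_site())


if __name__ == "__main__":
    print(demo())
```

Run it from an address and region that match the campaign’s targeting, and treat the response that stays stable across all three requests as the fallback page; a first response that differs from the rest is the lure. A low similarity score alone is not proof of compromise (A/B testing and personalisation also vary pages), which is why the forum-phrase and one-shot signals are reported alongside it.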
A fake forum post is then displayed containing an apparent answer to the query, along with a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised to show fake answers to questions about real estate.

Victims who click the direct download link receive a .zip archive, named after the search term, that contains a .js file. When the victim opens that file it runs as a script, and the rest of the chain stays in memory: obfuscated code is decrypted to retrieve and execute the next payloads.
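The delivery shape described above, an archive named after the search term holding a lone script, is something a download gateway or an analyst can check for. The following is an added example, not Sophos’s or Gootloader’s code, written with the Python standard library only. Both archives it inspects are constructed inside the block; the script text is placeholder content carrying generic script-host markers, not malware. The extension list, the marker list and the “script-only or script named after the archive” rule are assumptions.

```python
# Added example (not Sophos's code and not Gootloader's): a download-gateway
# style check for a .zip whose name echoes the search term and which contains a
# single script. The two archives built below are constructed for the example;
# the .js text is a placeholder with generic script-host markers, not malware.
import io
import re
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
# Generic signs of a script that expects a script host and decodes its real
# logic at runtime. Heuristic only; legitimate scripts can contain these too.
SCRIPT_MARKERS = ("eval(", "WScript", "ActiveXObject", "String.fromCharCode", "unescape(")


def normalise_stem(name: str) -> str:
    """'lease agreement template 47293.js' -> 'lease agreement template'."""
    stem = PurePosixPath(name).stem
    return re.sub(r"[\W\d_]+", " ", stem).strip().lower()


def inspect_archive(data: bytes, archive_name: str) -> Dict[str, object]:
    """Flag archives that match the lure shape; returns the evidence as well."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        scripts = [m for m in members
                   if PurePosixPath(m.filename).suffix.lower() in SCRIPT_EXTENSIONS]
        markers: List[str] = []
        for m in scripts:
            text = zf.read(m).decode("utf-8", errors="replace")
            markers.extend(k for k in SCRIPT_MARKERS if k in text)
    archive_stem = normalise_stem(archive_name)
    name_mirrors = any(normalise_stem(m.filename) == archive_stem for m in scripts)
    script_only = bool(members) and len(scripts) == len(members)
    return {
        "members": [m.filename for m in members],
        "script_only": script_only,
        "name_mirrors_archive": name_mirrors,
        "markers": sorted(set(markers)),
        # A script-only archive, or a script named after the archive itself,
        # is the lure shape described in the text; treat either as suspicious.
        "suspicious": script_only or name_mirrors,
    }


def make_sample_archive() -> Tuple[bytes, str]:
    """Constructed lure-shaped archive: one .js named after the search term."""
    js = ('// constructed placeholder, not real malware\n'
          'var blob = "placeholder";\n'
          'var sh = new ActiveXObject("WScript.Shell");\n'
          'eval(unescape(blob));\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("lease agreement template 47293.js", js)
    return buf.getvalue(), "lease_agreement_template.zip"


def make_benign_archive() -> Tuple[bytes, str]:
    """Constructed ordinary archive for contrast: documents only, no scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lease agreement template.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", "plain notes")
    return buf.getvalue(), "lease_agreement_template.zip"


if __name__ == "__main__":
    for build in (make_sample_archive, make_benign_archive):
        print(inspect_archive(*build()))
```

The name check compares normalised stems rather than exact filenames, because the member name in the text carries the search term plus a number; the extension list deliberately covers the other Windows script-host formats, since the same delivery shape works with any of them.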
According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.
“At several points, it’s possible for end-users to avoid the infection, if they recognize the signs,” the researchers say. “The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools.”
The University of Toronto’s Citizen Lab, together with Access Now, has found that the Pegasus spyware developed by the now-sanctioned NSO Group was used to target journalists and non-government organisations operating in El Salvador. In total, the investigation found 35 individuals were targeted across 37 devices, and Citizen Lab has a high degree of confidence that data was exfiltrated from the devices of 16 of those targets.

“In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections,” Citizen Lab said in a blog post. “We observed extensive targeting using zero-click exploits, however we also identified specific instances in which targets were sent one-click infection links via SMS message.”

One of the zero-click exploits was the same iMessage Kismet exploit sold by NSO Group that was used to target Al Jazeera employees, which was patched in iOS 14. The other was ForcedEntry, the exploit that led to Apple notifying users they could have been the target of state-sponsored hacking. Many of the Salvadoran targets received such notifications, Citizen Lab said.

“The Kismet exploit has not yet been publicly captured and analyzed, but appeared to involve the use of JPEG attachments, as well as iMessage’s IMTranscoderAgent process invoking a WebKit instance,” Citizen Lab said. “Additionally, we recovered a copy of the ForcedEntry exploit from one of the phones. The exploit appears to have been fired at a phone with iOS 14.8.1, which is not vulnerable to ForcedEntry. The exploit does not appear to have run on the phone.

“It is unclear why the exploit was fired at a non-vulnerable iOS version, though it is possible that NSO operators cannot always determine the precise iOS version used by the target before firing an exploit.”

Apple is currently suing NSO Group over its use of Pegasus and is seeking a permanent injunction that would ban NSO Group from using any Apple software, services, or devices.

Citizen Lab stopped short of pointing the finger at the El Salvador government and President Nayib Bukele, but said there was a “range of circumstantial evidence pointing to a strong El Salvador government nexus”. Backing up this claim, Citizen Lab said the targets were working on sensitive domestic issues surrounding the government, such as El Faro’s reporting that Bukele’s administration was negotiating with leaders of the MS-13 gang over reducing homicides in the country, prison privileges, and “long-term pledges tied to the results of congressional elections in 2021”. Citizen Lab also said the operator had a “near-total focus of infections” within the country.

“Through our ongoing Internet scanning and DNS cache probing, we identified a Pegasus operator focusing almost exclusively within El Salvador,” Citizen Lab said. “We first observed this operator in early 2020, though the domain names associated with the operator appear to have been registered as early as November 2019.”

Citizen Lab said that if Pegasus was sold into El Salvador, it was done despite warning signs that abuse would take place, including: an autocratic-leaning president with a fascination with digital technology; a long history of harassment of independent media and journalists; a climate of insecurity and human rights abuses; poorly regulated police, intelligence, and private security firms; and a lengthy history of corruption, organized crime, state violence, and authoritarianism.

For its part, El Faro reported that two-thirds of its staff were hit, including journalists, administration staff, and board members. “When the hacks occurred, the journalists were working on investigations, for example, into the Bukele administration’s negotiation with gangs, the theft of pandemic-related food relief by the director of prisons and his mother, the Bukele brothers’ secret negotiations related to the implementation of bitcoin, the financial holdings of officials in the current government, the government pandemic response, or a profile of President Nayib Bukele,” the outlet said. During 2021, El Salvador adopted bitcoin as legal tender, and Bukele said in November that he wanted to create a volcano-powered Bitcoin City.
A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed.
The catastrophic SolarWinds security incident involved the compromise of the vendor’s network and then the delivery of malicious SolarWinds Orion updates to customers that contained a backdoor called Sunburst. Sunspot, a tool that watched the SolarWinds build server for Orion compilations so the backdoor could be inserted at build time, was identified in January by CrowdStrike and is thought to be one of the earliest components used in the attack.

In total, an estimated 18,000 organizations received the malicious update, and a smaller number of high-profile targets, including Microsoft, FireEye, and several US federal government agencies, were selected for follow-on compromise during 2020. The White House, together with the UK government, has blamed the intrusion on the Russian state-backed group APT29/Cozy Bear (the campaign is also tracked as UNC2452).

On Thursday, RiskIQ researchers published a report on the network infrastructure footprint of the SolarWinds attackers, describing it as “significantly larger than previously identified.”

According to the cybersecurity company, the Sunburst/Solorigate backdoor was designed to “identify, avoid, or disable different security products,” with a particular focus in the first stage of infection on evading security software from FireEye, CrowdStrike, Microsoft, ESET, and F-Secure.
“For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them,” RiskIQ says.

The second and third stages involved custom droppers (Teardrop and Raindrop) and the deployment of further malware alongside Cobalt Strike. Persistence implants with components dubbed Goldmax, GoldFinder, and Sibot, as well as Sunshuttle, have also been connected to these stages.

Now, RiskIQ’s Team Atlas has identified an additional 18 servers linked to the SolarWinds espionage campaign, a number the firm says represents a “56% increase in the size of the adversary’s known command-and-control footprint.”

The new C2 servers were found by mapping the second stage of deployment, in particular the modified Cobalt Strike beacons associated with the attackers. That beacon pattern is not uncommon on its own: the scan data matching it contained over 3,000 results. The team therefore correlated those results with the SSL certificate patterns recorded as in use by the SolarWinds attackers. “[This] became highly unique when correlated with the SSL patterns,” RiskIQ says. “The result was the identification of a significant number of additional malicious servers.” RiskIQ added that the findings will “likely lead to newly identified targets.” US-CERT was made aware of RiskIQ’s findings prior to public disclosure.

Last month, Swiss cybersecurity firm Prodaft published a report on SilverFish, a sophisticated threat group thought to be responsible for intrusions at over 4,700 organizations, including Fortune 500 companies. SilverFish was connected to the SolarWinds attacks as “one of many” APTs exploiting the incident, and the group’s digital infrastructure has also revealed potential links to campaigns involving TrickBot and WastedLocker.
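The correlation RiskIQ describes, one signal that is common on its own (a beacon configuration shared by thousands of servers) intersected with a second (a certificate pattern already tied to the campaign) and then filtered against the C2s already attributed, can be written down as a small pivot. The block below is an added example, not RiskIQ’s code: the scan records, IP addresses (RFC 5737 documentation ranges), certificate attributes, beacon fields and pattern values are all constructed placeholders, not indicators from the campaign.

```python
# Added example, not RiskIQ's code: the correlation step described above, run
# over constructed scan data. Every IP (RFC 5737 documentation ranges),
# certificate attribute and beacon field value here is a placeholder, not an
# indicator from the SolarWinds campaign.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    validity_days: int


@dataclass
class ScanRecord:
    ip: str
    cert: Cert
    # Fields extracted from a Cobalt Strike beacon config, empty if the host
    # did not serve a beacon. Placeholder values.
    beacon: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class CertPattern:
    """Shape of a certificate rather than one fingerprint, so it survives rotation."""
    self_signed: bool
    validity_days: int
    issuer_contains: str

    def matches(self, cert: Cert) -> bool:
        return ((cert.issuer == cert.subject) == self.self_signed
                and cert.validity_days == self.validity_days
                and self.issuer_contains in cert.issuer)


def beacon_matches(record: ScanRecord, marker: Dict[str, object]) -> bool:
    """True when every marker field is present in the beacon config with the same value."""
    return bool(record.beacon) and all(record.beacon.get(k) == v for k, v in marker.items())


def pivot(records: Iterable[ScanRecord], marker: Dict[str, object],
          pattern: CertPattern, known_c2: Set[str]) -> List[str]:
    """Intersect the two weak signals, then drop servers already attributed."""
    hits = {r.ip for r in records if beacon_matches(r, marker) and pattern.matches(r.cert)}
    return sorted(hits - known_c2)


def growth_percent(known: int, newly_found: int) -> float:
    """Size increase of the known footprint, the way RiskIQ reports it."""
    return 100.0 * newly_found / known


# Constructed placeholders standing in for the campaign's beacon and cert patterns.
MARKER = {"jitter": 37, "sleep_ms": 60000}
PATTERN = CertPattern(self_signed=True, validity_days=730, issuer_contains="Internet Widgits")
KNOWN_C2 = {"203.0.113.10"}

_SELF_SIGNED = Cert("CN=Internet Widgits Pty Ltd", "CN=Internet Widgits Pty Ltd", 730)
_PUBLIC_CA = Cert("CN=Example Public CA", "CN=www.example.com", 90)

SAMPLE_SCAN = [
    ScanRecord("203.0.113.10", _SELF_SIGNED, {"jitter": 37, "sleep_ms": 60000}),  # already known C2
    ScanRecord("203.0.113.11", _SELF_SIGNED, {"jitter": 37, "sleep_ms": 60000}),  # both signals, new
    ScanRecord("203.0.113.12", _PUBLIC_CA, {"jitter": 37, "sleep_ms": 60000}),    # beacon only
    ScanRecord("203.0.113.13", _SELF_SIGNED, {}),                                 # cert shape only
    ScanRecord("203.0.113.14", _SELF_SIGNED, {"jitter": 37, "sleep_ms": 60000, "port": 8443}),
    ScanRecord("198.51.100.5", _PUBLIC_CA, {"jitter": 0, "sleep_ms": 5000}),      # unrelated beacon
]


if __name__ == "__main__":
    new = pivot(SAMPLE_SCAN, MARKER, PATTERN, KNOWN_C2)
    print("new C2 candidates:", new)
    print("known footprint growth: %.0f%%" % growth_percent(len(KNOWN_C2), len(new)))
```

The beacon-only and cert-only records are the reason the intersection is needed: either signal alone would pull in generic Cobalt Strike servers or unrelated self-signed hosts. As a check on the report’s arithmetic, `growth_percent(32, 18)` gives the 56% figure quoted above, which implies the known C2 footprint before the addition was about 32 servers.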
CrowdStrike on Tuesday published its second quarter financial results, beating market estimates with solid growth from subscription customers.

The cybersecurity company added 1,660 net new subscription customers in the quarter, for a total of 13,080 subscription customers as of July 31, which represents 81% year-over-year growth. Subscription revenue was $315.8 million, a 71% increase. CrowdStrike’s total Q2 revenue was $337.7 million, a 70% increase over a year prior. Non-GAAP net income came to $25.9 million, or 11 cents per share. Analysts were expecting earnings of 9 cents per share on revenue of $323.16 million.

“CrowdStrike delivered an outstanding second quarter with rapid subscription revenue growth and record net new ARR generated in the quarter,” CEO and co-founder George Kurtz said in a statement. “The success of our platform strategy and our growing brand leadership have led to a groundswell of customers turning to CrowdStrike as their trusted security platform of record. We believe that our extensible Falcon platform, purpose-built to leverage the power of the cloud, collecting data once and reusing it many times, is a fundamental cornerstone to building a durable growth business over the long-term.”

CrowdStrike’s annual recurring revenue (ARR) increased 70% year-over-year to $1.34 billion as of July 31, of which $150.6 million was net new ARR added in the quarter. In addition to adding a record number of net new subscribers, CrowdStrike reported solid growth in the share of subscribers adopting multiple modules: as of July 31, 66% of subscription customers had adopted four or more modules, 53% five or more, and 29% six or more.
For the third quarter, the company expects total revenue in the range of $358 million to $365.3 million.